Most organizations don’t do enough to educate users about computer security.

The main purpose of user education programs is to decrease human-factor risk substantially.
If they don’t accomplish that, the whole exercise is a waste of resources.
Such programs, if they exist at all, consist of a sort of security orientation program for new employees, with an annual update and refresher course lasting 15 minutes to an hour. Occasionally, you’ll see an in-house security newsletter and/or periodic Web posts that employees might read on a slow workday.

Basically, we’re talking 30 to 90 minutes (on the high end) of security education for the entire year. Many companies have nothing — at least nothing formal.